Twitter tightens security after high-profile breaches

Twitter is adding an extra security measure to users' accounts following a series of high-profile breaches by hackers hitting media organisations and others.

Twitter said in a blog post that users will be able to enrol in a login verification program. For those who sign up, Twitter will send a six-digit code in a text message each time they sign in to Twitter.com. Besides their username and password, users will have to enter the code as well to log in.

The company describes the feature as "a second check to make sure it's really you".

"Of course, even with this new security option turned on, it's still important for you to use a strong password and follow the rest of our advice for keeping your account secure," said Jim O'Leary of Twitter Product Security.

Microsoft, Google and Facebook already allow two-step verification as an option. Twitter has been criticised for not having this option, especially following recent breaches of Twitter accounts belonging to major news organisations and other companies. Twitter reportedly began testing the security measure in April.

Unlike the other internet companies, though, Twitter will ask users for a verification code each time they log out and log back in, even if it's from the same computer. The others allow you to bypass that if you are using the same computer regularly. Microsoft began offering two-step verification last month. Facebook and Google have offered it longer.

Twitter users can sign up for two-step verification under their account settings. To do this, Twitter will ask for either a confirmed email address associated with the account or a phone number that's been verified.

While Twitter has seen phenomenal growth as a social media outlet, its security has been questioned. Twitter said in February it was hit by a sophisticated cyber attack and that the passwords of about 250,000 users were stolen.

Johannes Ullrich, a security specialist with the SANS Technology Institute, said two-factor authentication "is the right step forward" but may not thwart the kind of attacks seen on Twitter feeds.

"With compromised media accounts, another issue is password sharing, which may hinder adoption of two-factor authentication in environments that need it most until respective social media suites that are used by larger companies are updated to support Twitter's two-factor authentication scheme," Ullrich said.

James Gabberty, professor of information systems at Pace University, said the new verification system appeared positive but "it depends on how they deploy it".

He said the decision to use a separate communications channel such as a mobile phone is "generally very safe" but that it is preferable if the phone and internet services are with different carriers with "a different architecture".

"If it is a different company, then this is extremely safe and gives a very high level of assurance that the integrity of the message is not compromised."

But Gabberty said Twitter still has other security problems that need to be addressed, such as requiring strong passwords and frequent changes in passwords.

"I stay away from Twitter because it's such an insecure system. It's begging to be hacked," he said.

The Syrian Electronic Army, which appears to be aligned with the government of President Bashar al-Assad, has claimed credit for hacking AFP, AP, BBC, The Guardian and other news organisations in recent months.

Earlier this month, the Twitter feed of satirical US news website The Onion was also taken over by the Syrian group aiming to inject its own sardonic spin on the deadly conflict.

The Onion posted details of how its feed was hijacked, describing how emails were sent to some employees in a phishing spoof to gain access to passwords.

1 comment

Why can't the user's ISP "id" be included in all Twitter/Facebook posts - that would make finding the abusers very easy and discourage unsociable behaviour. The "social" media is becoming very "unsociable".